Let me shoot a question to the readers here: how are you dealing with storing secrets on local development? These could include API_KEYs, AWS_KEYs, DB_URIs, etc., required to keep your local environment up and running.
If you are doing this in any of the below ways :( sorry, you are dealing with it the wrong way!
Setting the secrets in each shell in which you run your command (npm start etc.).
export API_KEY=""
export DB_URI=""
export AWS_KEY=""
Creating a .env file in your repo root and keeping the secrets there. Pray that you never push it to version control :D
/.env
API_KEY=""
DB_URI=""
AWS_KEY=""
Worse than the above two: directly embedding the keys in the code where they are used. LOL!
OK, so what are the issues with any of the above approaches?
Secrets can be leaked if mistakenly pushed to a remote origin.
Secrets can be exposed in shell history.
Manually setting secrets in each shell wastes our time and invites a lot of manual errors.
Storing secrets in the codebase makes them hard to rotate or change.
This blog is not about explaining ansible. So, to keep it short, ansible is an automation tool that can automate processes like deploying, creating developer environments, etc. (basically ansible is an updated shell script).
Ansible ships with many tools; ansible-vault is the one we are gonna use today to deal with the secrets in our local development.
As stated above, we are gonna use ansible-vault here to secure them.
To start with, install ansible on your system (Mac): you can use `brew install ansible` (if you have the Homebrew package manager).
Create a file called secret.sh in any location (the preferred one is ~/).
Paste all your secrets inside secret.sh.
export API_KEY=""
export AWS_KEY=""
export DB_URI=""
...
Now encrypt the file secret.sh that we created, using ansible-vault. The encryption uses the AES256 algorithm with a password that we are gonna provide.
ansible-vault encrypt ~/secret.sh
Provide a password when prompted, and make sure not to save this password anywhere. After doing this, when you try to view the contents of secret.sh, they will be encrypted.
Now, whichever shell you are using (e.g., bash, zsh, fish, etc.), edit the configuration file and add an alias called load-envs. For example, for bash, the file would be .bashrc; for zsh, it would be .zshrc, and so on.
NOTE: To know which shell you are using, just do echo $SHELL
alias load-envs='eval "$(ansible-vault view ~/secret.sh)"'
That's it. Now whenever you want to load the envs before running a command, e.g. before running npm start, you can simply do load-envs in that particular shell.
load-envs
npm run start
With this, our envs are secured, and they are exported only in the shell where you run your command.
You may have a question: if our secret.sh is encrypted, how can we add new secrets or update the file? Just use ansible-vault edit for this.
ansible-vault edit ~/secret.sh
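As an added example (not from the original post), here is a stricter version of the load-envs alias above: it refuses to load secret.sh unless the file actually carries the ansible-vault header (so a file you forgot to encrypt is noticed), and it checks that the decrypted text contains only export assignments before handing it to eval. It assumes the vault file is at ~/secret.sh as above; VAULT_FILE, is_vault_encrypted, only_exports and load_envs are names introduced here.

```shell
# Added example, not part of the original post.
# Assumes the encrypted file is ~/secret.sh (override with VAULT_FILE).

# Return 0 only if the first line is the ansible-vault header, i.e. the
# file is really encrypted and not a plaintext secret.sh left lying around.
is_vault_encrypted() {
  head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[0-9];AES256'
}

# Return 0 only if every non-blank, non-comment line is a plain
# `export NAME=value` assignment whose value contains no shell
# metacharacters, so eval cannot run anything else that got into the file.
only_exports() {
  ! printf '%s\n' "$1" \
    | grep -Ev '^[[:space:]]*(#|$)|^export [A-Za-z_][A-Za-z0-9_]*=[^;&|`$()]*$' \
    | grep -q .
}

# Decrypt, validate, then export into the current shell.
load_envs() {
  local file="${VAULT_FILE:-$HOME/secret.sh}" decrypted
  if ! is_vault_encrypted "$file"; then
    echo "refusing: $file is not ansible-vault encrypted" >&2
    return 1
  fi
  decrypted="$(ansible-vault view "$file")" || return 1
  if ! only_exports "$decrypted"; then
    echo "refusing: $file contains lines other than export assignments" >&2
    return 1
  fi
  eval "$decrypted"
}
```

Source this file from your .bashrc or .zshrc and run load_envs in place of the alias.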
Yep, that's all I want to cover here. It's that simple and easy to have secrets configured in our local development in a more secure way. Thanks to ansible for making this easier.
Comments are welcome. Kindly suggest any other better approach if you feel there is one that is safe and easy.
Oh wait, how can you comment? Just reply back in whichever medium you got this link :(